Swift hacks expose bank security weaknesses
Security breaches that have allowed hackers to infiltrate Swift’s messaging network have raised questions about its safety, but the problems might rest with the individual banks.
A hack on Bangladesh Bank in February resulted in the theft of $81 million, with fraudulent messages pushed along Swift channels. Although it was the most high-profile attack via Swift, Bangladesh Bank is not believed to have been the only bank that fell victim to the hackers.
However, while the breach affected the banks on Swift’s network, it seems the weakness was not the messaging network itself.
Robert Browning, senior vice-president of financial messaging at D+H, a financial technology provider, says: “From the information that has been made available, it seems the breaches happened in a traditional way. The hackers have found a vulnerability and created fraudulent documents to obtain funds. Swift pride themselves on their security, and there is no indication of a network hack.”
The banking industry also seems to remain confident in the safety of Swift.
Mark Evans, managing director, transaction banking, at ANZ, says: “As a bank, we remain confident in Swift as a service provider. It is the service being used to implement Australia’s real-time payments network. It has a long history of providing a high quality of service.”
That said, Swift is taking steps to understand what happened and share that information with its wider community.
A spokesperson says: “Swift continues to gather information on recent cases and attempted cases of input fraud at customer firms, and is sharing anonymized information on those cases and related tools with its user community to help them better protect their systems.”
The messaging provider has been proactive in assisting its bank network to improve security. In July, it launched the customer security programme (CSP), which includes IT specialists to investigate security issues.
The provider also launched a two-factor authentication process as part of its standards update. The service, which also includes stronger password-management rules and enhanced integrity-checking features, is mandatory, and clients must update by November 19.
The focus now seems to be on the banks themselves, and the levels of protection they have in place.
Nadav Shatz, managing director of Comsec Consulting, a cybersecurity firm, says the banks have their role to play, adding: “Swift is the provider, but the software, hardware component and the terminals are maintained by the banks.”
ANZ’s Evans adds: “The bank does not use Swift as its sole protective barrier from cyber-attack on its transactions. Banks should ensure they have their own security systems up to date. We take cyber security seriously and have processes in place to detect and prevent fraudulent transactions.”
Shatz says the banks need to understand that while Swift will ensure everything is installed safely, it is the banks’ responsibility to ensure the standards are maintained.
“As Swift provides the solution, Swift should have proper assurances it is secure ‘out-of-the-box’ and also securely implemented and maintained by a member bank,” he says. “It is a matter of cooperation and shared responsibility when it comes to security. The banks cannot rely solely on Swift.”
Shatz explains that if hackers are able to find a point of access into the network and exploit it, it could have far wider implications for all users of the messaging network.
“If the hackers can find a way to penetrate a bank, they can obtain access across to specific systems, including third-party systems and networks,” he says. “It comes down to the weakest link. When they have found a vulnerability in one environment, they can leverage the attack and get access to other systems.”
While some customers are raising their concerns about hackers gaining access to the network, D+H’s Browning cautions there needs to be a proportionate reaction to the scale of the threat.
“There is a risk of a knee-jerk reaction,” he says. “We have to remember the basic, traditional methods used that led to these breaches. First, Swift members need to get the cyber-security basics right, either in-house or by leveraging a service bureau, and then start to adopt more sophisticated security features, such as multi-factor authentication.
“We have had requests from customers asking about biometrics. We want to make the systems secure, but this may not be wholly justified looking at the nature of the attacks that have taken place.”
Tackling the issue of the banks’ standards in their approach towards cybercrime could help Swift beef up its network. Swift CEO Gottfried Leibbrandt has previously called for the provider and the banks to collaborate more closely on tackling cybercrime.
Comsec’s Shatz notes that Swift has taken steps to update information to banks on how to keep safe, but it might benefit from taking a more focused approach to checking that standards are being met.
“The next step could be to create an audit framework and member-bank assurance to maintain and secure their service with every member bank,” he says. “This type of regulation does not currently exist on the network.
“Swift may need to reconsider the security assurance around the solution, and the guidance they provide to make sure their members use and implement the solution securely.”
Some parts of the business are already undergoing regular checks to be allowed continued access to the network. Browning explains that, as a service bureau, D+H will go through rigorous auditing to ensure it is meeting required standards.
“As a service bureau, we have to go through regulation certifications with Swift,” he says. “This involves providing documents and having our processes checked by Swift.”
Alternatively, the answer could be a new solution that moves away from the weaknesses in the Swift-to-bank network.
Enrico Camerinelli, senior analyst at Aite Group, a research firm, says bringing systems up to standard would require a huge overhaul, adding: “The infrastructure in place is old and has its limits. Anything implemented now is just putting patches on the holes, and another hacker will find their way through.
“There needs to be a review of the whole infrastructure.”
Camerinelli suggests that if the banks are having to make changes, they could use it as an opportunity for a radical overhaul.
“Nobody would argue that the biggest problems facing the banks today are not regulation but cybercrime. Blockchain isn’t impenetrable to cybercrime, but it requires a much higher level of skill to break through.”